Talk:Internet Protocol security architecture: Difference between revisions

From Citizendium
Revision history: page created by Howard C. Berkowitz (New page: {{subpages}}); latest revision by Howard C. Berkowitz (one intermediate revision by one other user not shown).

{{subpages}}
== Too many articles? ==
We currently have this article, [[IPSec]] which redirects here, and [[IPsec]] which goes into a lot more detail. Do we need some merging? I think there's a valid architecture/implementation distinction, so we might need two articles. However, I'm not sure the current articles fit the bill. [[User:Sandy Harris|Sandy Harris]] 04:55, 1 March 2010 (UTC)
===Good point===
I don't usually think packet formats are appropriate to an architecture. From the IETF architecture table of contents, RFC 4301, major headings:
  3. System Overview .................................................7
      3.1. What IPsec Does ............................................7
      3.2. How IPsec Works ............................................9
      3.3. Where IPsec Can Be Implemented ............................10
  4. Security Associations ..........................................11
      4.1. Definition and Scope ......................................12
      4.2. SA Functionality ..........................................16
      4.3. Combining SAs .............................................17
      4.4. Major IPsec Databases .....................................18
          4.4.1. The Security Policy Database (SPD) .................19
          4.4.2. Security Association Database (SAD) ................34
          4.4.3. Peer Authorization Database (PAD) ..................43
      4.5. SA and Key Management .....................................47
          4.5.1. Manual Techniques ..................................48
          4.5.2. Automated SA and Key Management ....................48
          4.5.3. Locating a Security Gateway ........................49
      4.6. SAs and Multicast .........................................50
  5. IP Traffic Processing ..........................................50
*Presumably transport mode gets defined here?
      5.1. Outbound IP Traffic Processing
          (protected-to-unprotected) ................................52
          5.1.1. Handling an Outbound Packet That Must Be
                  Discarded ..........................................54
          5.1.2. Header Construction for Tunnel Mode ................55
  6. ICMP Processing ................................................63
  7. Handling Fragments (on the protected side of the IPsec
      boundary) ......................................................66
      7.1. Tunnel Mode SAs that Carry Initial and Non-Initial
          Fragments .................................................67
      7.2. Separate Tunnel Mode SAs for Non-Initial Fragments ........67
      7.3. Stateful Fragment Checking ................................68
      7.4. BYPASS/DISCARD Traffic ....................................69
  8. Path MTU/DF Processing .........................................69
      8.1. DF Bit ....................................................69
      8.2. Path MTU (PMTU) Discovery .................................70
          8.2.1. Propagation of PMTU ................................70
          8.2.2. PMTU Aging .........................................71
  9. Auditing .......................................................71
This, presumably, is the right level of detail, with contextualization about the non-protocol aspects. --[[User:Howard C. Berkowitz|Howard C. Berkowitz]] 09:11, 1 March 2010 (UTC)
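As a concrete illustration of what the "Security Policy Database (SPD)", "Security Association Database (SAD)", "Outbound IP Traffic Processing" and "BYPASS/DISCARD Traffic" headings above cover, here is an added example (not from this talk page, the article, or the RFC text itself) that models RFC 4301's outbound decision as an ordered SPD lookup returning DISCARD, BYPASS or PROTECT, followed by an SAD lookup for PROTECT entries. The entry layout, the selector fields, the entry names, the SPI value and the sample packets are all constructed for illustration; a real implementation carries many more selectors and SA attributes.

```python
"""Added example: toy model of RFC 4301 outbound traffic processing.
Not code from the Citizendium article or from any IPsec implementation.
Entry layout, names, SPI and sample packets are constructed assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

DISCARD, BYPASS, PROTECT = "DISCARD", "BYPASS", "PROTECT"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    dport: int = 0  # 0 when the protocol carries no port


@dataclass
class SPDEntry:
    """One policy entry. Selectors are matched first-match in SPD order,
    so an entry's position is part of the policy (constructed layout)."""
    name: str
    src_net: str
    dst_net: str
    action: str
    proto: Optional[int] = None                 # None = any protocol
    dport_range: Tuple[int, int] = (0, 65535)   # inclusive destination port range

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and (self.proto is None or self.proto == pkt.proto)
                and self.dport_range[0] <= pkt.dport <= self.dport_range[1])


@dataclass
class SAD:
    """Maps an SPD entry name to an established SA, identified here only by a
    hypothetical SPI (real SAD entries hold keys, algorithms, lifetimes, ...)."""
    sas: Dict[str, int] = field(default_factory=dict)


def lookup_spd(spd: List[SPDEntry], pkt: Packet) -> Optional[SPDEntry]:
    """First matching entry wins; None when nothing matches."""
    for entry in spd:
        if entry.matches(pkt):
            return entry
    return None


def process_outbound(spd: List[SPDEntry], sad: SAD,
                     pkt: Packet) -> Union[str, Tuple[str, int]]:
    """Return 'DISCARD', 'BYPASS', ('PROTECT', spi) or 'NEEDS_SA'.

    No SPD match means DISCARD: RFC 4301 requires that unmatched traffic is
    dropped (and logged), i.e. the SPD is default-deny. A PROTECT match with no
    SA in the SAD must never be sent in the clear; a real implementation would
    trigger IKE to negotiate one, modelled here as the 'NEEDS_SA' result."""
    entry = lookup_spd(spd, pkt)
    if entry is None or entry.action == DISCARD:
        return DISCARD
    if entry.action == BYPASS:
        return BYPASS
    spi = sad.sas.get(entry.name)
    return (PROTECT, spi) if spi is not None else "NEEDS_SA"


# Constructed sample policy for a gateway protecting 10.0.0.0/8, with a
# remote site at 192.0.2.0/24. Order matters: the IKE bypass must precede the
# broad PROTECT rule or IKE's own UDP/500 traffic would be caught by it.
SAMPLE_SPD = [
    SPDEntry("ike-bypass", "0.0.0.0/0", "0.0.0.0/0", BYPASS, proto=17, dport_range=(500, 500)),
    SPDEntry("no-telnet-to-remote", "10.0.0.0/8", "192.0.2.0/24", DISCARD, proto=6, dport_range=(23, 23)),
    SPDEntry("site-to-site", "10.0.0.0/8", "192.0.2.0/24", PROTECT),
]
SAMPLE_SAD = SAD({"site-to-site": 0x1000})   # hypothetical SPI


if __name__ == "__main__":
    for p in (Packet("10.1.1.5", "192.0.2.10", 6, 443),
              Packet("10.1.1.5", "192.0.2.10", 6, 23),
              Packet("10.1.1.5", "192.0.2.1", 17, 500),
              Packet("10.1.1.5", "198.51.100.7", 6, 80)):
        print(p, "->", process_outbound(SAMPLE_SPD, SAMPLE_SAD, p))
```

The point the model makes is the one the RFC's section ordering implies: the SPD decision comes first and is default-deny, the SAD only matters once the policy says PROTECT, and the relative order of entries (here, letting IKE itself BYPASS before the site-to-site PROTECT rule) is as much a part of the policy as the selectors are.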

Latest revision as of 03:11, 1 March 2010
